
BASHing iOS Applications


Presentation Transcript


  1. BASHing iOS Applications: dirty, s*xy, cmdline tools for mobile auditors

  2. Whoami? • Director of Pentesting – Fortify on Demand • Leader of ShadowLabs group • iOS application Hacker • OWASP Mobile Top Ten Leader • OWASP iOS assessment Cheat Sheet leader • OWASP SB Leader • Proud husband and father!

  3. Whoami? • Mobile Security Consultant – Fortify on Demand • Python coder • Hunter of bugs • Ninja crafter • Herder of extremely well-behaved hackers-in-training

  4. What are we doing here? • Mobile app testing tools are fragmented!

  5. Mobile App testing tools are fragmented!

  6. What are we looking for?

  7. TLDR; expertise needed to assess a mobile app in-depth is high. Testers need better solutions: faster, more cost-effective.

  8. Is this you? • Do one of these categories describe you? • New to mobile • Large enterprise with LOTS of mobile apps • Worried about impact of BYOD • You need a better solution too.

  9. Anatomy of a better solution • Quick • Blackbox capable - no source required • Good coverage with low effort/expertise • Automatable • Manageable learning curve

  10. Let’s make some buckets… Tool Domains and Purpose

  11. Where does this lead us? • Source scanners limit our scope • Reversing and runtime tools have steep learning curve • We already know how to do network/server • What’s left?

  12. What’s left? • Binary analysis • No source required • Doesn’t SOUND easy/quick • Automatable? • File system • No source required • Probably automatable • Easy? Quick?

  13. What’s in YOUR binary?

  14. iOS.sh https://github.com/jhaddix/ios_sh

  15. BINARY TOOLS (mostly non-runtime & require a JB device)

  16. Cracking Apps • Remove Apple’s encryption! • Clutch • https://code.google.com/p/iphone-clutch/downloads/list • Rasticrac • Has some built-in magic to detect different versions of ARM and anti-cracking code. • https://twitter.com/iRastignac • Uses GDB

  17. Binary *Disassembly* and Parsing • otool • https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/otool.1.html • Good for parsing out: • Architectures • Frameworks • Binary protection usage (PIE, Stack Smashing) • Code Quality (ARC) • Also important: most of the above is unencrypted strings data. This means that strings, grep, sed, and awk are magical!

  18. Poor Man’s Disassembly • Application binaries contain LOTS of relevant strings • The “strings” command can be revealing • Method names • Web service URLs • SQL query strings • API secrets, crypto keys, passwords

  19. Vulnerability Detection with grep • Use strings from binary to zero in on issues • Presence of deprecated/known vulnerable methods • Vulnerable coding practices (SQL injection) • Pro: Fast, easy to code • Con: Without source, confidence level may vary – no context

  20. Putting it all together • Install app • Crack app • Extract headers, symbols, and frameworks (otool) • Extract binary strings (strings) • Search for known patterns (grep) • This can all be wrapped in a scripting language of your choice!
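The otool, strings and grep steps from slides 17 to 20 as one script, added here as an example; it is not code from the talk or from ios_sh. The functions read saved command output, so the constructed sample below exercises them offline and the same functions run unchanged on real `otool -hv`, `otool -Iv` and `strings` output captured from a decrypted binary. The grep pattern list is an assumption of this example, not the presentation's list.

```bash
#!/usr/bin/env bash
# Added example (not from the talk or ios_sh): otool/strings/grep triage as
# functions over saved command output, run here on constructed samples that
# stand in for a real decrypted app binary.

# PIE (ASLR): the Mach-O header flags printed by `otool -hv` include PIE.
has_pie() { grep -qw 'PIE' "$1"; }
# Stack smashing protection: the import table (`otool -Iv`) references both guard symbols.
has_stack_canary() { grep -q '___stack_chk_guard' "$1" && grep -q '___stack_chk_fail' "$1"; }
# ARC: Objective-C built with ARC imports _objc_release.
uses_arc() { grep -q '_objc_release' "$1"; }

# Pattern list for the strings pass ("label regex" per line); an assumption of
# this example, not the presentation's list. Hits are leads to confirm, not findings.
PATTERNS='cleartext-url http://[^[:space:]"]+
formatted-sql SELECT[[:space:]].*(%@|%s|%d)
hardcoded-secret (api_?key|secret|password)[[:space:]]*[=:]
weak-hash CC_MD5|CC_SHA1'

# Print one "label<TAB>string" line per hit in a `strings` dump.
scan_strings() {
  printf '%s\n' "$PATTERNS" | while read -r label regex; do
    grep -Ei -- "$regex" "$1" | while IFS= read -r hit; do printf '%s\t%s\n' "$label" "$hit"; done
  done
}
count_hits() { scan_strings "$1" | wc -l | tr -d ' '; }

# Constructed sample output (trimmed otool/strings lines) standing in for a real binary.
WORK=$(mktemp -d)
cat > "$WORK/header.txt" <<'EOF'
MH_MAGIC_64  ARM64  ALL  0x00  EXECUTE  25  3784  NOUNDEFS DYLDLINK TWOLEVEL PIE
EOF
cat > "$WORK/imports.txt" <<'EOF'
0x0000000100005ab0   137 ___stack_chk_fail
0x0000000100005abc   138 _objc_release
0x0000000100008000   139 ___stack_chk_guard
EOF
cat > "$WORK/strings.txt" <<'EOF'
stringWithFormat:
https://api.example.test/v1/login
http://api.example.test/v1/legacy
SELECT * FROM users WHERE name = '%@'
api_key=CONSTRUCTED-SAMPLE-KEY
CC_MD5
EOF

for check in has_pie:header.txt has_stack_canary:imports.txt uses_arc:imports.txt; do
  "${check%%:*}" "$WORK/${check#*:}" && echo "${check%%:*}: yes" || echo "${check%%:*}: no"
done
scan_strings "$WORK/strings.txt"
```

On a device, feed the functions with `otool -hv App`, `otool -Iv App` and `strings App` saved to files; the https URL in the sample shows the cleartext pattern only flags plain http.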

  21. Binary Analysis • Quick • No source required • Covers six Mobile Top 10 categories • Very easy to automate • Low technical learning curve

  22. But wait, there’s more! (we didn’t actually run the app yet)

  23. Plists and DBs and caches, oh my!

  24. Artifact Inspection • Cookie Reader: • http://www.securitylearn.net/2012/10/27/cookies-binarycookies-reader/ • File monitor: • http://bit.ly/16TeiqJ (or binutils) • Keychain dumper: • https://github.com/ptoomey3/Keychain-Dumper • Log reader: • iPhone Configuration Utility or http://www.libimobiledevice.org/ API • Data Protection Class Parser: • http://www.securitylearn.net/2012/10/18/extracting-data-protection-class-from-files-on-ios/

  25. Putting it all together • Install app • Crack app • Extract headers, symbols, and frameworks (otool) • Extract binary strings (strings) • Search for known patterns (grep) • Launch app • Parse/search artifacts (more grep) • This can all be wrapped in a scripting language of your choice!

  26. DIY Mobile Assessment • Manual process = tedious • Tool fragmentation creates a learning curve • If each individual tool is a module in a larger assessment process, then what we really need is a framework.

  27. That’s too much stuff. I just don’t have the resources.

  28. DEMO: Risker ENGINE • DEMO: Risker Frontend

  29. Risker is eating a lot of Apples • Risker (ENGINE) is used in our Mobile Express offering • With this methodology and toolset, you can create your own Risker! • Frontend just launched • Currently crunching all the Apples

  30. Thanks! jason.haddix@hp.com • dawn@hp.com
